SECURE EXECUTION ARCHITECTURE

Cross-Reference to Related Application

Priority is claimed under 35 U.S.C. 119 from International Application PCT/IB02/03216 filed August 13, 2002.

Technical Field of the Invention 

The present invention relates to circuitry for providing data security, which circuitry contains at least one processor and at least one storage circuit. The present invention also relates to a method for providing data security in circuitry containing at least one processor and at least one storage circuit.

Background Art 

Various electronic devices, such as mobile telecommunication terminals, portable computers and PDAs, require access to security related components such as application programs, cryptographical keys, cryptographical key data material, intermediate cryptographical calculation results, passwords, authentication of externally downloaded data etc. It is often necessary that these components, and the processing of them, are kept secret within the electronic device. Ideally, they shall be known by as few people as possible. This is due to the fact that a device, for example a mobile terminal, could possibly be tampered with if these components are known. Access to these types of components might aid an attacker with the malicious intent to manipulate a terminal.

Further, in the devices, these above mentioned security related components will be handled, processed and managed alongside more general components which do not require any secure processing. Therefore, a secure execution environment is introduced, in which environment a processor within the electronic device is able to access the security related components. Access to the secure execution environment, processing in it and exit from it should be carefully controlled. Prior art hardware comprising this secure environment is often enclosed within a tamper resistant packaging. It should not be possible to probe or perform measurements and tests on this type of hardware which could result in the revealing of security related components and the processing of them.

An electronic device processing information in a secure environment and storing security related information in a secure manner is shown in US patent No. 5,892,900. The patent discloses a virtual distribution environment securing, administering and controlling electronic information use. It comprises a rights protection solution for distributors, financial service providers, end-users and others. The invention uses electronic devices called Secure Processing Units to provide security and secure information storage and communication. Such a device, including a processor, is enclosed within a "tamper resistant security barrier", separating the secure environment from the outer world. The electronic device provides both the secure environment and an unsecure environment, in which latter case the processor of the device has no access to the security related information.
A problem that has to be solved is to enable a third party to perform testing, debugging and servicing of the electronic device and its software without risking that the third party is given access to information which makes it possible to manipulate the security related components of the device so as to affect the security functions when in the secure environment. It should be possible to move between the two environments smoothly, without having to initialize one or the other every time a movement is effected.

Summary of the Invention 

It is an object of the present invention to provide a solution to the above given problem by proposing an architecture comprising a secure environment in which it is possible to store and process information such as cryptographical keys and other security related data in a secure way, while still making it possible to test and debug the architecture and its accompanying software in an unsecure environment without giving access to the security data.

According to the first aspect of the invention, circuitry is provided comprising at least one storage area in a storage circuit, in which storage area protected data relating to circuitry security are located. The circuitry is arranged with mode setting means arranged to place a processor comprised in the circuitry in one of at least two different operating modes, the mode setting means being capable of altering the processor operating modes. Further, it comprises storage circuit access control means arranged to control the processor to gain access to the storage area in which protected data are located based on a first processor operating mode, and arranged to prevent the processor from accessing the storage area in which protected data are located, based on a second processor operating mode, thereby enabling the processor to execute non-verified software downloaded into the circuitry.

According to the second aspect of the invention, a method is provided wherein protected data relating to circuitry security are stored in a storage circuit. A processor is set in one of at least two different alterable operating modes. The method further comprises the step of enabling the processor to access a storage area in which the protected data are located by setting the processor in a first operating mode, and preventing the processor from accessing the storage area in which protected data are located by setting the processor in a second operating mode, thereby enabling the processor to execute non-verified software downloaded into the circuitry.

The invention is based on the idea that circuitry is provided in which a processor is operable in at least two different modes, a first secure operating mode and a second unsecure operating mode. In the secure mode, the processor has access to security related data located in various memories within the circuitry. The security data include cryptographical keys and algorithms, software for booting the circuitry, secret data such as random numbers used as cryptographical key material, application programs etc. The circuitry can advantageously be used in mobile telecommunication terminals, but also in other electronic devices such as computers, PDAs or other devices with a need for data protection. In the case where the circuitry is placed within a mobile telecommunication terminal, it might be desirable that the circuitry provides the terminal with a unique identification number and accompanying keys for cryptographic operations on the identification number. The access to these security data and the processing of them need to be restricted, since an intruder with access to security data could manipulate the terminal. When testing and/or debugging the terminal, access to security information is not allowed. For this reason, the processor is placed in the unsecure operating mode, in which mode it is no longer given access to the protected data.

The invention advantageously enables the processor of the circuitry to execute non-verified software downloaded into the circuitry. This allows testing, debugging and servicing of the electronic device and its software without risking that a third party is given access to information which makes it possible to manipulate the security related components of the device so as to affect the security functions when in the secure environment.

It should be noted that in US patent No. 5,892,900, the unsecure mode is the "normal" mode, used when transactions and communications must be secure, whereas in the present invention, the secure mode is the normal mode. In the present invention, unsecure mode is only entered during testing and/or debugging or other types of special cases when security data must be protected, i.e. when secure mode cannot be practically maintained.

The present invention eliminates the need for special purpose terminals adapted for use in research and development. During a development stage, it is sometimes a requirement to be able to download untrusted and/or unchecked code into terminals. By enabling the unsecure mode, a channel is provided into the terminal without giving access to security related components. Consequently, the same terminal can be utilized for normal operation as well as in the development stage. It should be understood that it is rather expensive to manufacture special purpose terminals.

According to an embodiment of the invention, the circuitry of the invention is arranged with a timer controlling the time period during which the processor is in the unsecure mode. If other security controlling actions should fail, a maximum given time period is set during which access is given to unsecure processor mode. This restrains the possibility for an intruder to perform debugging and testing of the device.

According to another embodiment of the invention, authentication means are provided, which means are arranged to authenticate data externally provided to the terminal. An advantage with this feature is that during the manufacturing stage, and other stages where normal, secure operating mode is not yet activated, the terminal can be used for a limited time period, sufficient to load accepted, signed code into the terminal. It is also possible to download signed code packages into the terminal during secure mode operation. This facilitates the possibility to add new security features to the terminal, bringing flexibility to the architecture. The architecture enables the applications to be divided into secure and unsecure parts. The circuit checks the code packages which are signed appropriately. Secure applications are downloaded to, and executed from, the storage area holding the protected data. This makes downloading of data smoother. If this feature were not present, it would be necessary to download secure applications and unsecure applications separately.

According to yet another embodiment of the invention, the circuitry is arranged with means for indication of the mode in which the processor is operating. It is appropriate that a mode register is set within the circuitry, keeping track of the current mode. In case the circuitry is arranged within a mobile telecommunication terminal, it should be possible to indicate on the terminal display, via the terminal loudspeaker or in any other visual way, to a terminal user the fact that the terminal is operating in unsecure mode. This will draw the user's attention to the fact that unsecure mode has been entered.

In accordance with further embodiments of the present invention, the mode setting means arranged to control the modes of the processor comprise an application program. This has the advantage that the mode can be set by the device itself, without having to rely on external signals. From a security viewpoint, this is preferable since by controlling the application software, the setting of processor modes can also be controlled. It is also possible to have an external signal connected to the circuitry, by which signal it is possible to control the processor mode. By using an external signal, a mode change can be executed easily and quickly, which can be advantageous in test environments. A combination of these two mode setting means is feasible.

Brief Description of the Drawings 

The present invention will be described in greater 
detail with reference to the following drawings, wherein: 

Fig. 1 shows a block diagram of a preferred 
embodiment of circuitry for providing data security 
according to the present invention; and 

Fig. 2 shows a flow chart of a boot process for the 
circuitry according to the present invention. 

Description of Preferred Embodiments of the Invention 

Fig. 1 shows a block diagram of a preferred embodiment of the present invention. As can be seen, the architecture in Fig. 1 contains both software and hardware. The architecture is implemented in the form of an ASIC (Application Specific Integrated Circuit). The processing part of the architecture contains a CPU and a digital signal processor DSP. These two processors can be merged into one single processor. Normally the CPU handles communication operations and the DSP handles the computation of data.

The secure environment comprises a ROM from which the ASIC is booted. This ROM contains boot application software and an operating system OS. The operating system controls and executes applications and offers various security services to the applications such as control of application software integrity and access control. The operating system has access to the ASIC hardware, but it cannot itself provide rigorous hardware security and must rely on the security architecture.

Certain application programs residing in the secure environment, i.e. the protected data storage area, have precedence over other application programs. In a mobile telecommunication terminal, in which the ASIC can be arranged, boot software should exist which includes the main functionality of the terminal. It is not possible to boot the terminal to normal operating mode without this software. This has the advantage that by controlling this boot software, it is also possible to control the initial activation of every terminal.

The secure environment also comprises RAM for storage of data and applications. The RAM preferably stores so called protected applications, which are smaller size applications for performing security critical operations inside the secure environment. Normally, the way to employ protected applications is to let "normal" applications request services from a certain protected application. New protected applications can be downloaded into the secure environment at any time, which would not be the case if they would reside in ROM. Secure environment software controls the download and execution of protected applications. Only signed protected applications are allowed to run. The protected applications can access any resources in the secure environment and they can also communicate with normal applications for the provision of security services.

In the secure environment, a fuse memory is comprised, containing a unique random number that is generated and programmed into the ASIC during manufacturing. This random number is used as the identity of a specific ASIC and is further employed to derive keys for cryptographic operations. Further, storage circuit access control means in the form of a security control register is arranged. The purpose of the security control register is to give the CPU access to the secure environment, or to prevent the CPU from accessing the secure environment, depending on the mode set in the register. The processor operating modes can be set in the register by application software, so that the architecture does not have to rely on external signals. From a security viewpoint, this is preferable since by controlling the application software, the setting of processor modes can also be controlled. It is also possible to have an external signal (not shown) connected to the ASIC, by which signal it is possible to set the security control register. By using an external signal, a mode change can be executed easily and quickly, which can be advantageous in test environments. A combination of these two mode setting means is feasible.

Preferably, the mobile telecommunication terminal 
should indicate on the terminal display, via the terminal 
loudspeaker or in any other visual way, to a terminal 
user the fact that the terminal is operating in unsecure 
mode. This will make the user aware of the fact that 
unsecure mode has been entered. 

A watchdog is arranged for various timer purposes. In case signature verification of downloaded software fails, checksums do not match or some other error is detected, the operation of the ASIC, or the mobile telecommunication terminal it is arranged in, should stop. This should preferably not be done immediately when the error occurs. A random timeout, e.g. different time spans up to 30 seconds, is desired. This makes it more difficult for an attacker to detect the instant at which the terminal has detected the error. The disabling of watchdog updating is set in the security control register. The result of this operation is that the terminal will reset itself. The watchdog can also control the time period during which the processor is in the unsecure mode. If other security controlling actions should fail, a maximum given time period is set during which access is given to unsecure processor mode. This restrains the possibility for an intruder to perform debugging and testing of the device.
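The security control register, the storage access gate it drives and the watchdog described above, modelled as an added C example (it is not code from the patent): reads of the protected storage area succeed only in secure mode, a detected error schedules a reset after a random delay of up to 30 seconds, and the watchdog resets the device once a maximum unsecure period is exceeded. The struct layout, the millisecond tick, the caller-supplied random value and the 5 minute unsecure budget are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum mode { MODE_SECURE = 0, MODE_UNSECURE = 1 };
#define MAX_UNSECURE_MS    300000u   /* assumed budget for unsecure mode (5 min) */
#define MAX_ERROR_DELAY_MS  30000u   /* "up to 30 seconds", as stated in the text */
struct asic {
    enum mode mode;                  /* security control register: current mode */
    uint8_t   protected_area[64];    /* storage area holding the protected data */
    uint32_t  now_ms;                /* clock driving the watchdog */
    uint32_t  unsecure_since_ms;     /* when unsecure mode was last entered */
    uint32_t  reset_at_ms;           /* pending error reset; 0 = none */
    int       resets;                /* watchdog resets performed so far */
};
/* Mode setting means: application software or an external signal writes the register. */
void set_mode(struct asic *a, enum mode m) {
    if (m == MODE_UNSECURE && a->mode == MODE_SECURE)
        a->unsecure_since_ms = a->now_ms;   /* start the unsecure time budget */
    a->mode = m;
}
/* Storage circuit access control: the protected area is readable in secure mode only. */
bool secure_read(const struct asic *a, size_t off, uint8_t *out) {
    if (a->mode != MODE_SECURE || off >= sizeof a->protected_area)
        return false;
    *out = a->protected_area[off];
    return true;
}
/* Error path (bad signature, checksum mismatch): stop only after a random delay, so an
 * attacker cannot tell when the error was detected. rnd comes from the caller's RNG. */
uint32_t schedule_error_reset(struct asic *a, uint32_t rnd) {
    uint32_t delay = rnd % (MAX_ERROR_DELAY_MS + 1);
    a->reset_at_ms = a->now_ms + delay + 1;   /* +1 keeps the value non-zero */
    return delay;
}
static void reset_device(struct asic *a) {
    a->resets++;
    a->mode = MODE_SECURE;           /* ROM boot re-enters secure mode on reset */
    a->reset_at_ms = 0;
}
/* Watchdog tick: enforces the error timeout and the maximum unsecure period. */
void watchdog_tick(struct asic *a, uint32_t elapsed_ms) {
    a->now_ms += elapsed_ms;
    if (a->reset_at_ms && a->now_ms >= a->reset_at_ms)
        reset_device(a);
    else if (a->mode == MODE_UNSECURE && a->now_ms - a->unsecure_since_ms > MAX_UNSECURE_MS)
        reset_device(a);
}

/* Scenario: returns a bitmask of the checks that held (0x3f when everything behaves). */
int demo_sequence(void) {
    struct asic a; uint8_t v = 0; int ok = 0;
    memset(&a, 0, sizeof a);
    a.protected_area[3] = 0x5a;
    ok |= (secure_read(&a, 3, &v) && v == 0x5a) << 0;      /* secure mode grants access */
    set_mode(&a, MODE_UNSECURE);
    ok |= !secure_read(&a, 3, &v) << 1;                     /* unsecure mode blocks access */
    watchdog_tick(&a, MAX_UNSECURE_MS + 1);
    ok |= (a.resets == 1 && a.mode == MODE_SECURE) << 2;    /* budget exceeded: reset */
    ok |= (schedule_error_reset(&a, 123456u) == 3452u) << 3; /* 123456 % 30001 */
    watchdog_tick(&a, 3452u);
    ok |= (a.resets == 1) << 4;                             /* delay not yet elapsed */
    watchdog_tick(&a, 1u);
    ok |= (a.resets == 2) << 5;                             /* terminal resets itself */
    return ok;
}
```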

The CPU is connected to the secure environment hardware via a memory management unit MMU that handles memory operations. It also maps virtual addresses to physical addresses in memory for processes executed in the CPU. The MMU is located on a bus containing data, address and control signals. It is also possible to have a second MMU arranged to handle the memory operations for the ASIC RAM located outside the secure environment. A standard bridge circuit for limitation of data visibility on the bus is arranged within the ASIC. The architecture should be enclosed within a tamper resistant packaging. It should not be possible to probe or perform measurements and tests on this type of hardware which could result in the revealing of security related components and the processing of them. The DSP has access to other peripherals such as a direct memory access (DMA) unit. DMA is provided by the architecture to allow data to be sent directly from the DSP to a memory. The DSP is freed from involvement with the data transfer, thus speeding up overall operation. Other peripherals such as RAMs, flash memories and additional processors can be provided outside the ASIC. A RAM is also arranged outside the secure environment in the ASIC, which RAM holds the non-verified software executed by the CPU.

By providing the above described architecture in which the CPU is operable in two different modes, one secure operating mode and one unsecure operating mode, the CPU of the architecture can be enabled to execute non-verified software downloaded into the ASIC. This is due to the fact that only verified software has access to the secure environment. This allows testing, debugging and servicing of the mobile telecommunication terminal and its software without risking that a third party is given access to information which makes it possible to manipulate the security related components of the device so as to affect the security functions when in the secure environment.

In the secure mode, the processor has access to security related data located within the secure environment. The security data include cryptographical keys and algorithms, software for booting the circuitry, secret data such as random numbers used as cryptographical key material, application programs etc. The circuitry can advantageously be used in mobile telecommunication terminals, but also in other electronic devices such as computers, PDAs or other devices with a need for data protection. The access to these security data and the processing of them need to be restricted, since an intruder with access to security data could manipulate the terminal. When testing and/or debugging the terminal, access to security information is not allowed. For this reason, the processor is placed in the unsecure operating mode, in which mode it is no longer given access to the protected data within the secure environment.

Fig. 2 illustrates a flow chart of the power up boot process for the architecture. At power up, ROM boot software activates secure mode for initial configuration. Then, signatures for the first protected application and operating system to be downloaded are checked. If the signatures are correct, the application and the operating system are downloaded into the secure environment RAM. When the desired software has been downloaded, the CPU is informed that the download is completed and the CPU starts executing the verified software. The operating system and protected application have thus been downloaded into the secure environment in a secure and trusted manner.

However, if the signature check fails or if no signature is present, unsecure mode is activated and the non-verified application is loaded into the ASIC RAM located outside the secure environment. Possibly, the watchdog is set to limit the time period during which the unsecure mode is active. A maximum time period is set during which the unsecure mode is active. When boot is completed, this non-verified application is executed by the CPU. The secure environment is now inaccessible.
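The Fig. 2 boot decision, as an added C example that is not code from the patent: a single image stands in for the operating system and first protected application, and the signature check is a constructed keyed tag standing in for the real signature scheme, which the text does not specify. The struct layout, the RAM sizes, the signing key and the 60 second unsecure period are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum mode { MODE_SECURE, MODE_UNSECURE };
/* Code package delivered to the ASIC; siglen == 0 means no signature is present. */
struct image { const uint8_t *code; size_t len; const uint8_t *sig; size_t siglen; };
struct device {
    enum mode mode;                 /* security control register */
    uint8_t   secure_ram[128];      /* RAM inside the secure environment */
    uint8_t   ext_ram[128];         /* ASIC RAM outside the secure environment */
    uint32_t  watchdog_limit_ms;    /* maximum unsecure period; 0 = not armed */
    bool      verified;             /* true: the CPU executes verified software */
};
/* Constructed stand-in for signature verification (keyed 32-bit FNV-1a tag); a real
 * design uses a public-key signature. Only the accept/reject decision is modelled. */
static uint32_t tag(const uint8_t *p, size_t n, uint32_t key) {
    uint32_t h = 2166136261u ^ key;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
void sign_image(const uint8_t *code, size_t len, uint32_t key, uint8_t sig[4]) {
    uint32_t t = tag(code, len, key);
    for (int i = 0; i < 4; i++) sig[i] = (uint8_t)(t >> (24 - 8 * i));
}
bool signature_ok(const struct image *im, uint32_t key) {
    uint8_t expect[4];
    if (im->siglen != 4) return false;          /* absent or malformed signature */
    sign_image(im->code, im->len, key, expect);
    return memcmp(expect, im->sig, 4) == 0;
}
/* Fig. 2 boot flow. Returns true when the CPU ends up executing verified software. */
bool boot(struct device *d, const struct image *os, uint32_t key, uint32_t unsecure_ms) {
    memset(d, 0, sizeof *d);
    d->mode = MODE_SECURE;                      /* ROM boot: secure mode for initial configuration */
    if (os->len > sizeof d->secure_ram) return false;  /* oversized package: nothing is loaded */
    if (signature_ok(os, key)) {
        memcpy(d->secure_ram, os->code, os->len);  /* verified software into secure RAM */
        d->verified = true;
        return true;
    }
    d->mode = MODE_UNSECURE;                    /* bad or missing signature: secure environment now inaccessible */
    d->watchdog_limit_ms = unsecure_ms;         /* bound the time spent in unsecure mode */
    memcpy(d->ext_ram, os->code, os->len);      /* non-verified code goes to external RAM */
    return false;
}

/* Constructed scenario: one image booted with a valid, a corrupted and no signature.
 * Returns a bitmask of the checks that held (0x0f when the flow behaves as described). */
int demo_boot(void) {
    static const uint8_t code[] = "constructed OS image";
    const uint32_t key = 0x1234abcdu;           /* constructed signing key */
    uint8_t good[4], bad[4]; struct device d; int ok = 0;
    struct image im = { code, sizeof code, good, 4 };
    sign_image(code, sizeof code, key, good);
    memcpy(bad, good, 4); bad[0] ^= 0xff;
    ok |= (boot(&d, &im, key, 60000) && d.mode == MODE_SECURE && d.watchdog_limit_ms == 0) << 0;
    im.sig = bad;
    ok |= (!boot(&d, &im, key, 60000) && d.mode == MODE_UNSECURE) << 1;
    ok |= (d.watchdog_limit_ms == 60000 && memcmp(d.ext_ram, code, sizeof code) == 0) << 2;
    im.siglen = 0;                              /* no signature present at all */
    ok |= (!boot(&d, &im, key, 60000) && d.mode == MODE_UNSECURE && !d.verified) << 3;
    return ok;
}
```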

Even though the invention has been described with reference to specific exemplifying embodiments thereof, many different alterations, modifications and the like will become apparent to those skilled in the art. The described embodiments are therefore not intended to limit the scope of the invention, as defined by the appended claims.